Research directions in software supply chain security

Laurie Williams, Giacomo Benedetti, Sivana Hamer, Ranindya Paramitha, Imranur Rahman, Mahzabin Tamanna, Greg Tystahl, Nusrat Zahan, Patrick Morrison, Yasemin Acar, Michel Cukier, Christian Kästner, Alexandros Kapravelos, Dominik Wermke · 2025 · DOI 10.1145/3714464

5 Pith papers cite this work. Polarity classification is still indexing.

5 Pith papers citing it

open at publisher browse 5 citing papers

citation-role summary

background 2 method 1

citation-polarity summary

background 2 use method 1

representative citing papers

Analysis of Commit Signing on Github

cs.SE · 2026-04-15 · unverdicted · novelty 8.0

Ecosystem-scale measurement shows commit signing on GitHub is rarely deliberate or sustained by developers, with rising lapse rates and unrevoked expired keys, so supply-chain security frameworks relying on it do not hold in practice.

Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills

cs.CR · 2026-05-10 · unverdicted · novelty 7.0

Malicious Skills induce coding agents to hallucinate and import attacker-controlled packages at high rates while evading detection.

Weaponizing the Commons: A Taxonomy and Detection Framework of Abuse on GitHub

cs.SE · 2026-04-20 · unverdicted · novelty 7.0

A taxonomy of GitHub abuse behaviors is proposed along with a detection framework achieving F1-scores exceeding 89% on a manually labeled dataset of 392 instances.

Classport: Designing Runtime Dependency Introspection for Java

cs.SE · 2025-10-23 · conditional · novelty 7.0

Classport adds dependency information to Java class files to enable runtime introspection of used dependencies, shown feasible on six real-world projects.

Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs

cs.SE · 2026-04-04 · unverdicted · novelty 6.0

The paper shows that heterogeneous graph attention networks can classify vulnerable components in real SBOMs at 91% accuracy and that a simple MLP can predict documented multi-vulnerability chains with 0.93 ROC-AUC.

citing papers explorer

Showing 5 of 5 citing papers.

Analysis of Commit Signing on Github cs.SE · 2026-04-15 · unverdicted · none · ref 61
Ecosystem-scale measurement shows commit signing on GitHub is rarely deliberate or sustained by developers, with rising lapse rates and unrevoked expired keys, so supply-chain security frameworks relying on it do not hold in practice.
Trust Me, Import This: Dependency Steering Attacks via Malicious Agent Skills cs.CR · 2026-05-10 · unverdicted · none · ref 56
Malicious Skills induce coding agents to hallucinate and import attacker-controlled packages at high rates while evading detection.
Weaponizing the Commons: A Taxonomy and Detection Framework of Abuse on GitHub cs.SE · 2026-04-20 · unverdicted · none · ref 40
A taxonomy of GitHub abuse behaviors is proposed along with a detection framework achieving F1-scores exceeding 89% on a manually labeled dataset of 392 instances.
Classport: Designing Runtime Dependency Introspection for Java cs.SE · 2025-10-23 · conditional · none · ref 30
Classport adds dependency information to Java class files to enable runtime introspection of used dependencies, shown feasible on six real-world projects.
Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs cs.SE · 2026-04-04 · unverdicted · none · ref 30
The paper shows that heterogeneous graph attention networks can classify vulnerable components in real SBOMs at 91% accuracy and that a simple MLP can predict documented multi-vulnerability chains with 0.93 ROC-AUC.

Research directions in software supply chain security

citation-role summary

citation-polarity summary

fields

years

verdicts

roles

polarities

representative citing papers

citing papers explorer